Process equivalences are formal methods that relate programs and systems which, informally, behave
in the same way. Since there is no unique notion of what it means for two dynamic systems to display
the same behaviour, there is a multitude of formal process equivalences, ranging from bisimulation
to trace equivalence, categorised in the linear-time branching-time spectrum.

We present a logical framework based on an expressive modal fixpoint logic which is capable 
of defining many process equivalence relations: for each such equivalence there is a fixed formula 
which is satisfied by a pair of processes if and only if they are equivalent with respect to this relation. 
We explain how to do model checking, even symbolically, for a significant fragment of this logic that 
captures many process equivalences. This allows model checking technology to be used for process 
equivalence checking. We show how partial evaluation can be used to obtain decision procedures for 
process equivalences from the generic model checking scheme. 

1 Introduction 

In concurrency theory, a process equivalence is an equivalence relation between processes — represented
as states of a labeled transition system (LTS) — that aims at capturing the informal notion of "having
the same behaviour". A theory of behavioural equivalence obviously has applications in formal systems
design because it explains which programs or modules can be replaced by others without changing the
system's behaviour.

There is no single mathematical notion of process equivalence as an equivalence relation on LTS.
Instead, a multitude of different relations has been studied with respect to their pragmatics, axiomatisability,
computational complexity, etc. These form a hierarchy with respect to containment, known as the
linear-time branching-time spectrum [6]. We refer to the literature for a comprehensive overview of
all these equivalence relations.

There are a few techniques which have proved to yield decision procedures for certain process equivalences,
for example approximations [9], characteristic formulas [1, 5] and characteristic games [14, 13].
Often, for each equivalence notion, the same questions are considered independently of each other,
like "can the algorithm be made to work with symbolic (BDD-based) representations of LTS?", and the
answer may depend on the technique being used to obtain the algorithm.

In this paper we introduce a further and generic, thus powerful, technique, using the notion of defining
formulas. We present a modal fixpoint logic which is expressive enough to define these equivalences in
the sense that, for an equivalence relation $R$, there is a fixed formula $\Phi_R$ which evaluates to true on a pair of
processes if and only if they are related by $R$. We also give a model checking algorithm for this logic. This
can then be instantiated with such formulas $\Phi_R$ in order to obtain an equivalence checking algorithm for
$R$. Furthermore, the model checking algorithm can easily deal with symbolic representations. Thus, this
yields BDD-based equivalence checking algorithms for all the process equivalences mentioned in this
paper. Moreover, with this generic framework, the task of designing an equivalence checking algorithm
for any new equivalence notion boils down to simply defining this relation in the modal fixpoint logic
presented here.

This is related to work on characteristic formulas, yet it is different. There, in order to check two
processes $P$ and $Q$ for, say, bisimilarity, one builds the characteristic formula describing all processes
that are bisimilar to $P$ and checks whether or not $Q$ satisfies it. Here, we take a fixed formula and
check whether or not the pair $(P,Q)$ satisfies it. Note that the former cannot be made to work with a symbolic
representation of $P$ whereas the latter can. In general, using defining instead of characteristic formulas
has the advantage of lifting more model checking technology to process equivalence checking.

The use of fixed formulas expressing process equivalences is made possible by the design of a
new modal fixpoint logic. It is obtained as the merger of two extensions of the modal $\mu$-calculus,
namely the higher-dimensional $\mu$-calculus [12] and the higher-order $\mu$-calculus HFL [16]. The
former allows formulas to make assertions about tuples of states rather than states alone. This is clearly
useful in this setup given that process equivalences are binary relations. Not surprisingly, it is known for
instance that there is a formula in the fragment speaking about tuples of length 2 that expresses
bisimilarity. On the other hand, HFL's higher-order features allow the logic to express properties that are
harder than polynomial-time decidable. It is known for instance that it can make assertions
of the kind "for every finite word $w$ there is a path labeled with $w$", which is very useful for describing
variants of trace equivalence.

The rest of the paper is organised as follows. Sect. 2 recalls the linear-time branching-time hierarchy.
For the sake of completeness, the exact definitions of these relations are presented in an appendix. Sect. 3
defines the aforementioned modal fixpoint logic. Sect. 4 realises the reduction from process equivalence
checking to model checking fixed formulas by simply spelling out the definition of those equivalence
notions in this modal fixpoint logic. Sect. 5 shows how to do model checking for the fragment of this logic
which is most significant to process equivalence checking, and how the naive model checking algorithm
can be optimised using need-driven function evaluation and partial evaluation. Sect. 6 concludes with
ideas on further work in this direction.



2 Process Equivalences 

In this section we present the hierarchy of the linear-time branching-time spectrum. As can be seen
from Fig. 1, the greatest equivalence is finite trace equivalence, and the finest one is bisimulation. First
we introduce some preliminaries and notation. We use letters $a, b, \ldots$ to denote actions, and the letter $t$ to
denote a trace. Letters $P, Q, \ldots$ denote processes.

A labeled transition system (LTS) over a set of actions$^1$ $\mathit{Act} = \{a, b, \ldots\}$ is a triple $(\mathit{Pr}, \mathit{Act}, \to)$,
where $\mathit{Pr}$ is a set of states representing processes, $\mathit{Act}$ is the set of actions, and ${\to} \subseteq \mathit{Pr} \times \mathit{Act} \times \mathit{Pr}$ is a
transition relation. We write $P \xrightarrow{a} Q$ for $(P, a, Q) \in {\to}$. $I(P) := \{a \in \mathit{Act} \mid \exists Q.\ P \xrightarrow{a} Q\}$ denotes the set of
initial actions of a process $P$.

A finite trace $t \in \mathit{Act}^*$ of $P_0$ is a finite sequence of actions $a_1 \ldots a_n$ s.t. there are $P_1, \ldots, P_n$ with $P_{i-1} \xrightarrow{a_i} P_i$
for all $i = 1, \ldots, n$. We write $P \xrightarrow{t} Q$ if there is a trace $t$ of $P$ that ends in $Q$.

Since the main purpose of this paper is not to focus deeply on the semantics of process equivalences,
we do not address the definitions in this section. For further details, the reader can find the exact
definitions of all process equivalences in Appendix A.



$^1$ For simplicity, we do not consider state labels.

Figure 1: The linear-time branching-time hierarchy.

3 A Higher-Order Higher-Dimensional $\mu$-Calculus

3.1 Combining Higher-Order and Higher-Dimensionality 

In this section, we introduce a logical formalism, called $\mu\mathrm{HL}^\omega$, that extends the standard modal $\mu$-calculus.
It can be seen as the combination of two extensions of the $\mu$-calculus that were previously defined:
the higher-order fixpoint logic HFL [16], and the higher-dimensional modal $\mu$-calculus [12].
First we build some intuition about the use of higher-order and higher-dimensional features in modal logics.

In HFL, formulas may denote not only sets of processes, but also predicate transformers, i.e. functions
from sets of processes to sets of processes, and more generally any higher-order functions of some
functional type built on top of the basic type $\mathit{Pr}$ of sets of processes. For instance, the formula

$\lambda x : \mathit{Pr}.\ \langle a\rangle x \wedge [b]\bot$

denotes the function that takes a predicate $\Phi$ of type $\mathit{Pr}$, i.e. a set of processes, and returns the predicate
$\langle a\rangle\Phi \wedge [b]\bot$, i.e. the set of processes $P$ for which $P \not\xrightarrow{b}$ and $P \xrightarrow{a} P'$ for some $P' \models \Phi$. Similarly, the
formula

$\lambda f : \mathit{Pr} \to \mathit{Pr}.\ \lambda x : \mathit{Pr}.\ f\,(f\,x)$

denotes the function that maps any predicate transformer $f$ to the predicate transformer $f \circ f$.

Like in the standard $\mu$-calculus, to every monotone function of type $\mathit{Pr} \to \mathit{Pr}$ denoted by a formula
$\lambda x : \mathit{Pr}.\ \Phi$, HFL associates a least fixed point $\mu x : \mathit{Pr}.\ \Phi$. In HFL, this construction generalises well
to any monotone function of type $\tau \to \tau$, thanks to a construction based on the pointwise ordering of
functions which we recall below. For instance, the formula $\mu f : \mathit{Pr} \to \mathit{Pr}.\ f$ denotes the constant function
$\lambda x.\ \bot$, since it is the smallest predicate transformer, according to the pointwise ordering, that is fixed by
the identity function. A bit more elaborate, the formula

$\mu f : \mathit{Pr} \to \mathit{Pr} \to \mathit{Pr}.\ \lambda x : \mathit{Pr}.\ \lambda y : \mathit{Pr}.\ (x \wedge y) \vee f\,\langle a\rangle x\,\langle b\rangle y$

can be unfolded as

$f\,x\,y = (x \wedge y) \vee f\,\langle a\rangle x\,\langle b\rangle y = (x \wedge y) \vee (\langle a\rangle x \wedge \langle b\rangle y) \vee f\,\langle aa\rangle x\,\langle bb\rangle y = \ldots$

and thus denotes the function $\lambda x, y.\ \bigvee_{n \ge 0} \langle a\rangle^n x \wedge \langle b\rangle^n y$.

The higher-dimensional $\mu$-calculus extends the $\mu$-calculus in a different way. There, formulas
do not denote sets of processes, but sets of tuples of processes. The $i$-th component of a tuple can be
changed by the $i$-th modality $\langle a\rangle_i$. For instance, the 2-dimensional formula $\langle a\rangle_1\top \wedge \langle b\rangle_2\top$ denotes the
set of pairs $(P,Q)$ such that $P \xrightarrow{a} P'$ and $Q \xrightarrow{b} Q'$ for some $P', Q'$. The modality $\langle a\rangle_i$ only modifies the
$i$-th component of the tuple, and leaves all other components unchanged, which validates some rules like

(commutation) $\langle a\rangle_1\langle b\rangle_2\Phi \Leftrightarrow \langle b\rangle_2\langle a\rangle_1\Phi$

(scope extrusion) $\langle a\rangle_d(\Phi \wedge \Psi) \Leftrightarrow \langle a\rangle_d\Phi \wedge \Psi \quad (\dim(\Psi) < d)$.

We associate a type $\mathit{Pr}_d$ to the formulas of the $d$-dimensional $\mu$-calculus. Note that there is a significant
difference between e.g. $\mathit{Pr}_2$ and the product type $\mathit{Pr} \times \mathit{Pr}$: the former is the type of binary predicates
over processes, whereas the latter is the type of pairs of unary predicates. There is indeed no obvious way
of representing $\mathit{Pr}_2$ in HFL, although HFL may encode some product types using standard techniques.



3.2 Syntax and Semantics 

Let $\mathit{Act}$ be as above. Fix $d \in \mathbb{N}$. We assume an infinite set $\mathit{Var} = \{x, y, z, \ldots\}$ of variables. A formula is a
$\Phi$ that can be derived by

$\Phi, \Psi ::= \top \mid \langle a\rangle_i\Phi \mid \neg\Phi \mid \Phi \wedge \Psi \mid x \mid \lambda x^v : \tau.\ \Phi \mid \mu x : \tau.\ \Phi \mid \Phi\,\Psi$   (formulas)
$v ::= + \mid - \mid \pm$   (variances)
$\tau, \sigma ::= \mathit{Pr}_d \mid \tau^v \to \sigma$   (types)

where $1 \le i \le d$, $a \in \mathit{Act}$ and $x \in \mathit{Var}$.

The typing arrow $\to$ is — as usual — right-associative. Thus, every type is of the form $\tau = \tau_1^{v_1} \to \cdots \to \tau_m^{v_m} \to \mathit{Pr}_d$
for some $m \ge 0$. For such normalised types we can define their order simply as
$\mathit{ord}(\tau) := \max\{1 + \mathit{ord}(\tau_i) : i = 1, \ldots, m\}$ with the convention $\max\emptyset = 0$.

Formulas are ruled by the type system depicted in Fig. 2. Intuitively, the aim of the type system
is to prevent applications of non-functions to formulas, as well as fixpoint definitions of non-monotone
functions, like $\mu x.\,\lambda y.\,\neg x\,y$. In order to exclude the latter, variances are introduced for each function
parameter.
$\dfrac{}{\Gamma \vdash \top : \mathit{Pr}_d}$ $\qquad$ $\dfrac{\Gamma \vdash \Phi : \mathit{Pr}_d \quad i \le d}{\Gamma \vdash \langle a\rangle_i\Phi : \mathit{Pr}_d}$ $\qquad$ $\dfrac{\neg\Gamma \vdash \Phi : \mathit{Pr}_d}{\Gamma \vdash \neg\Phi : \mathit{Pr}_d}$ $\qquad$ $\dfrac{\Gamma \vdash \Phi : \mathit{Pr}_d \quad \Gamma \vdash \Psi : \mathit{Pr}_d}{\Gamma \vdash \Phi \wedge \Psi : \mathit{Pr}_d}$

$\dfrac{v \in \{+, \pm\}}{\Gamma, x^v : \tau \vdash x : \tau}$ $\qquad$ $\dfrac{\Gamma, x^v : \sigma \vdash \Phi : \tau}{\Gamma \vdash \lambda x^v : \sigma.\ \Phi : \sigma^v \to \tau}$ $\qquad$ $\dfrac{\Gamma, x^+ : \tau \vdash \Phi : \tau}{\Gamma \vdash \mu x : \tau.\ \Phi : \tau}$

$\dfrac{\Gamma \vdash \Phi : \sigma^v \to \tau \qquad \Gamma \vdash \Psi : \sigma \ (\text{if } v \in \{+, \pm\}) \qquad \neg\Gamma \vdash \Psi : \sigma \ (\text{if } v \in \{-, \pm\})}{\Gamma \vdash \Phi\,\Psi : \tau}$

Figure 2: The type system of $\mu\mathrm{HL}^\omega$.



For $d \ge 1$ and $o \ge 0$, let $\mu\mathrm{HL}^o_d$ consist of all closed formulas $\Phi$ such that the statement $\emptyset \vdash \Phi : \mathit{Pr}_d$
is typable, and each type annotation in $\Phi$ has order at most $o$. In general, a statement of the form
$\Gamma \vdash \Phi : \tau$ asserts that the formula $\Phi$ has type $\tau$ under the assumptions $\Gamma$, which is a list of the form
$x_1^{v_1} : \tau_1, \ldots, x_m^{v_m} : \tau_m$. For such a list of assumptions, $\neg\Gamma$ is obtained from $\Gamma$ by swapping the variance
of each variable: $+$ becomes $-$ and vice-versa, and $\pm$ remains the same. Thus, $\mu\mathrm{HL}^o_d$ consists of all
well-typed and closed formulas of type $\mathit{Pr}_d$ that denote a set of $d$-tuples in an LTS and use at most
higher-order features of order $o$. Let

$\mu\mathrm{HL}^o := \bigcup_{d \ge 1} \mu\mathrm{HL}^o_d, \qquad \mu\mathrm{HL}_d := \bigcup_{o \ge 0} \mu\mathrm{HL}^o_d, \qquad \mu\mathrm{HL}^\omega := \bigcup_{o \ge 0} \bigcup_{d \ge 1} \mu\mathrm{HL}^o_d.$

Before we can explain the semantics of a formula we need to give the types a semantics too. Let
$\mathcal{S}_i = (\mathit{Pr}_i, \mathit{Act}, \to_i)$ for $i = 1, \ldots, d$ be LTS. We take them to be fixed and simply write $\llbracket \tau \rrbracket$ without
mentioning them. The semantics of a type is inductively defined as follows.

• $\llbracket \mathit{Pr}_d \rrbracket$ is the set of all $d$-ary predicates of processes (i.e. sets of $d$-tuples), ordered by inclusion, i.e.
$\llbracket \mathit{Pr}_d \rrbracket = (\mathcal{P}(\mathit{Pr}_1 \times \cdots \times \mathit{Pr}_d), \le_{\mathit{Pr}_d})$, with $X \le_{\mathit{Pr}_d} X'$ if $X \subseteq X'$.

• $\llbracket \tau^+ \to \sigma \rrbracket$ is the set of monotone functions from $\llbracket \tau \rrbracket$ to $\llbracket \sigma \rrbracket$, ordered pointwise, i.e.
$\llbracket \tau^+ \to \sigma \rrbracket = \{ f \in \llbracket \sigma \rrbracket^{\llbracket \tau \rrbracket} : \forall x, y.\ x \le_\tau y \Rightarrow f(x) \le_\sigma f(y) \}$ and $f \le_{\tau^+ \to \sigma} g$ if for all $x \in \llbracket \tau \rrbracket$,
$f(x) \le_\sigma g(x)$.

• similarly, $\llbracket \tau^- \to \sigma \rrbracket$ is the set of co-monotone functions, and $\llbracket \tau^\pm \to \sigma \rrbracket$ is the set of all functions
from $\llbracket \tau \rrbracket$ to $\llbracket \sigma \rrbracket$, ordered pointwise.

All these domains are complete lattices. As a consequence, any function $f \in \llbracket \tau^+ \to \tau \rrbracket$ has a least fixpoint
according to the Knaster-Tarski Theorem [10, 15]; we write $\mathrm{LFP}_\tau\, f$ to denote it.

The semantics of a formula $\Phi$ of type $\tau$ with respect to an environment $\Gamma$, the underlying LTS
$\mathcal{S}_1, \ldots, \mathcal{S}_d$ and an interpretation $\eta$ of its free variables is an element of $\llbracket \tau \rrbracket$ defined as follows. Let
$\mathit{Pr}^d := \mathit{Pr}_1 \times \cdots \times \mathit{Pr}_d$.

$\llbracket \Gamma \vdash \top : \mathit{Pr}_d \rrbracket_\eta = \mathit{Pr}^d$

$\llbracket \Gamma \vdash \langle a\rangle_i\Phi : \mathit{Pr}_d \rrbracket_\eta = \{(P_1, \ldots, P_d) \in \mathit{Pr}^d : \exists P_i' \in \mathit{Pr}_i.\ P_i \xrightarrow{a}_i P_i'$ and $(P_1, \ldots, P_i', \ldots, P_d) \in \llbracket \Gamma \vdash \Phi : \mathit{Pr}_d \rrbracket_\eta\}$

$\llbracket \Gamma \vdash \neg\Phi : \mathit{Pr}_d \rrbracket_\eta = \mathit{Pr}^d \setminus \llbracket \neg\Gamma \vdash \Phi : \mathit{Pr}_d \rrbracket_\eta$

$\llbracket \Gamma \vdash \Phi \wedge \Psi : \mathit{Pr}_d \rrbracket_\eta = \llbracket \Gamma \vdash \Phi : \mathit{Pr}_d \rrbracket_\eta \cap \llbracket \Gamma \vdash \Psi : \mathit{Pr}_d \rrbracket_\eta$

$\llbracket \Gamma \vdash \lambda x^v : \sigma.\ \Phi : \sigma^v \to \tau \rrbracket_\eta = f$ such that for all $e \in \llbracket \sigma \rrbracket$, $f(e) = \llbracket \Gamma, x^v : \sigma \vdash \Phi : \tau \rrbracket_{\eta[x \mapsto e]}$

$\llbracket \Gamma \vdash \mu x : \tau.\ \Phi : \tau \rrbracket_\eta = \mathrm{LFP}_\tau\, \llbracket \Gamma \vdash \lambda x^+ : \tau.\ \Phi : \tau^+ \to \tau \rrbracket_\eta$

$\llbracket \Gamma \vdash \Phi\,\Psi : \tau \rrbracket_\eta = f(e)$, where $f = \llbracket \Gamma \vdash \Phi : \sigma^v \to \tau \rrbracket_\eta$ and $e = \llbracket \Gamma' \vdash \Psi : \sigma \rrbracket_\eta$, with $\Gamma'$ the context used for $\Psi$ in the application rule of Fig. 2

If $\vdash \Phi : \tau$ and $m \in \llbracket \tau \rrbracket$, we write $m \models \Phi$ to denote that $m \in \llbracket \vdash \Phi : \tau \rrbracket$.

We assume standard notations for derived boolean and modal operators, and write $\Phi \vee \Psi$ for $\neg(\neg\Phi \wedge \neg\Psi)$,
$[a]_i\Phi$ for $\neg\langle a\rangle_i\neg\Phi$, $\Phi \Leftrightarrow \Psi$ for $(\Phi \wedge \Psi) \vee (\neg\Phi \wedge \neg\Psi)$, etc. If $\Gamma \vdash \Phi : \tau_1^+ \to \tau_2$ and
$\Gamma \vdash \Psi : \tau_2^+ \to \tau_3$ are two monotone functions, we write $\Psi \circ \Phi$ as a shorthand for the monotone function
$\lambda x^+ : \tau_1.\ \Psi\,(\Phi\,x)$. We will also write $\mu x(y_1, \ldots, y_m) : \sigma_1^{v_1} \to \cdots \to \sigma_m^{v_m} \to \tau.\ \Phi$ instead of
$\mu x : \sigma_1^{v_1} \to \cdots \to \sigma_m^{v_m} \to \tau.\ \lambda y_1^{v_1} : \sigma_1 \ldots \lambda y_m^{v_m} : \sigma_m.\ \Phi$. Finally, $\Phi[\Psi/x]$ is obtained from $\Phi$ by replacing every free occurrence of the variable
$x$ with the formula $\Psi$.



4 Process Equivalences as Formulas 

In this section, we show how all process equivalences of the linear-time branching-time hierarchy can be
characterised by $\mu\mathrm{HL}^\omega$ in a certain sense. To improve readability, we will often keep the type system
implicit, and use different variable symbols in order to suggest the type. For instance, we write $X, Y$
to range over sets of tuples of processes, $F, G$ to range over first-order functions of type $\mathit{Pr}_2^{v_1} \to \cdots \to \mathit{Pr}_2^{v_m} \to \mathit{Pr}_2$,
whereas $\mathcal{H}$ ranges over second-order functions. We write $\Phi[1 \leftrightarrow 2]$ for the formula $\Phi$ in
which $\langle a\rangle_1$ and $\langle a\rangle_2$ are swapped for any $a \in \mathit{Act}$, and equally $[a]_1$ and $[a]_2$. For any $t = a_1 \ldots a_n \in \mathit{Act}^*$
we write $\langle t\rangle_i\Phi$ to abbreviate $\langle a_1\rangle_i \ldots \langle a_n\rangle_i\Phi$, and similarly for $[t]_i$.

We say that an equivalence relation $\approx$ over processes is characterised by a closed formula $\Phi$ of type
$\mathit{Pr}_2$ if for all processes $P, Q$

$P \approx Q \iff (P,Q) \models \Phi.$

We say that a formula $\Phi$ tests for $\approx$ if $\neg\Phi \wedge \neg\Phi[1 \leftrightarrow 2]$ characterises $\approx$. Intuitively, $\Phi$ tests for
$\approx$ if it is true on $(P,Q)$ when $P$ presents a behaviour that $Q$ cannot reproduce. For readability, we only present
formulas that test process equivalences, but it is straightforward to derive formulas that characterise
process equivalences. We later write $\Phi_\approx$ for a formula that tests $\approx$.

Let us first consider trace equivalence. If we were to consider a logic with infinite disjunctions,
a formula testing finite trace equivalence would be $\bigvee_{t \in \mathit{Act}^*} \langle t\rangle_1\top \wedge [t]_2\bot$. Encoding such an infinite
disjunction is not easy in general, and it is indeed impossible in the ordinary $\mu$-calculus. But the $\mu\mathrm{HL}^\omega$
formula

$\Phi_t = \big(\mu F(X,Y).\ (X \wedge Y) \vee \bigvee_{a \in \mathit{Act}} F\,\langle a\rangle_1 X\,[a]_2 Y\big)\ \top\ \bot$

is equivalent to the one with the infinite disjunction, and thus tests trace equivalence.

Figure 3: Instantiations of the parameters for the template formulas.

  equivalence        Mod                                                                                          Pred
  trace              $\{\langle a\rangle_1 X : a \in \mathit{Act}\}$                                                $\{\top\}$
  completed trace    $\{\langle a\rangle_1 X : a \in \mathit{Act}\}$                                                $\{\bigwedge_{a \in \mathit{Act}} [a]_1\bot\}$
  failure            $\{\langle a\rangle_1 X : a \in \mathit{Act}\}$                                                $\{\mathrm{fail}(A) : A \subseteq \mathit{Act}\}$
  failure trace      $\{\langle a\rangle_1 X : a \in \mathit{Act}\} \cup \{X \wedge \mathrm{fail}(A) : A \subseteq \mathit{Act}\}$    $\{\top\}$
  readiness          $\{\langle a\rangle_1 X : a \in \mathit{Act}\}$                                                $\{\mathrm{ready}(A) : A \subseteq \mathit{Act}\}$
  ready trace        $\{\langle a\rangle_1 X : a \in \mathit{Act}\} \cup \{X \wedge \mathrm{ready}(A) : A \subseteq \mathit{Act}\}$   $\{\top\}$

  equivalence            Mod                                                                         Test
  simulation             $\{\langle a\rangle_1 [a]_2 X : a \in \mathit{Act}\}$                             $\bot$
  completed simulation   $\{\langle a\rangle_1 [a]_2 X : a \in \mathit{Act}\}$                             $\mathrm{deadlock}_1 \wedge \neg\mathrm{deadlock}_2$
  ready simulation       $\{\langle a\rangle_1 [a]_2 X : a \in \mathit{Act}\}$                             $\bigvee_{A \subseteq \mathit{Act}} \mathrm{ready}_1(A) \wedge \neg\mathrm{ready}_2(A)$
  2-nested simulation    $\{\langle a\rangle_1 [a]_2 X : a \in \mathit{Act}\}$                             $\Phi_S[1 \leftrightarrow 2]$
  bisimulation           $\{\langle a\rangle_1 [a]_2 X,\ \langle a\rangle_2 [a]_1 X : a \in \mathit{Act}\}$   $\bot$

Let us now consider all other equivalences of the lower part of the hierarchy. As all these equivalences
are variations around finite trace equivalence, it can be expected that the formulas testing them are very
similar. We introduce the template formula $\mathrm{TemplateTrace}(\mathit{Mod}, \mathit{Pred}) =$

$\bigvee_{\Phi \in \mathit{Pred}} \big(\mu F(X,Y).\ (X \wedge Y) \vee \bigvee_{\Psi \in \mathit{Mod}} F\ \Psi\ (\neg\Psi[1 \leftrightarrow 2][\neg Y/X])\big)\ \Phi\ \neg\Phi[1 \leftrightarrow 2]$

for some finite sets $\mathit{Pred}$ and $\mathit{Mod}$ of order-0 formulas. For instance, the above formula testing trace
equivalence is obtained for $\mathit{Pred} = \{\top\}$ and $\mathit{Mod} = \{\langle a\rangle_1 X : a \in \mathit{Act}\}$. Other instantiations of these
two parameters provide all equivalences above simulation, cf. the upper table in Fig. 3. Let $\mathrm{fail}(A) = \bigwedge_{a \in A} [a]_1\bot$
and $\mathrm{ready}(A) = \bigwedge_{a \in A} \langle a\rangle_1\top \wedge \bigwedge_{a \notin A} [a]_1\bot$.

Formulas testing the relations below simulation equivalence can also be derived from a common, but
simpler template. In these cases, no higher-order features are needed. Let $\mathrm{TemplateSim}(\mathit{Mod}, \mathit{Test}) =$

$\mu X.\ \mathit{Test} \vee \bigvee_{\Psi \in \mathit{Mod}} \Psi$

where $\mathit{Test}$ stands for a $\mu\mathrm{HL}_2$ formula, and $\mathit{Mod}$ is a finite set of $\mu\mathrm{HL}^1_2$ formulas. The instantiations
for the respective equivalence relations are presented in the lower table of Fig. 3. In the case of 2-nested
simulation equivalence, $\Phi_S$ stands for the formula that is obtained from this template for simulation
equivalence. We define $\mathrm{deadlock}_i = \bigwedge_{a \in \mathit{Act}} [a]_i\bot$.

The only equivalence that is shown in Fig. 1 but not dealt with so far is possible-futures equivalence.
It is definable in $\mu\mathrm{HL}_2$ through

$\big(\mu\mathcal{H}.\ \lambda G_1, G_2.\ \lambda X.\ G_1(G_2\,X) \vee \bigvee_{a \in \mathit{Act}} \mathcal{H}\ (\langle a\rangle_1 \circ G_1)\ ([a]_2 \circ G_2)\ X\big)\ (\lambda X.\,X)\ (\lambda X.\,X)\ \Psi_t$

where $\Psi_t = \Phi_t \vee \Phi_t[1 \leftrightarrow 2]$ is the negation of the characteristic formula for trace equivalence. It remains
to be seen whether or not it is also definable in $\mu\mathrm{HL}^1_2$ like the other equivalences are.

5 Model-Checking $\mu\mathrm{HL}^\omega$

5.1 From Model Checking to Process Equivalence Checking

The characterisations of process equivalences by modal fixpoint formulas give a uniform treatment of the
descriptive complexity of such equivalence relations. However, they do not (yet) provide an algorithmic
treatment. The aim of this section is to do so. To this end, we explain how to do model checking for
$\mu\mathrm{HL}^\omega$. In fact, much less suffices already. Remember that the input to a model checking procedure
is a pair consisting of — typically — an LTS and a formula. Higher-dimensionality of the underlying
logic means that the input is a pair consisting of a tuple of LTS on one side and a formula on the other.
Now any algorithm that does model checking for a pair of LTS and any formula given in the previous
section is in fact an algorithm that decides the corresponding process equivalence. Thus, for these purposes it suffices
to explain how to do model checking for any fragment that encompasses the formulas given there.

Here we restrict our attention to the fragment $\mu\mathrm{HL}^1_2$. This captures all process equivalences considered
here apart from possible-futures equivalence, because all their characteristic formulas are naturally
of dimension 2 — they describe a binary relation — and of order 1. The extension to higher dimensionality
is straightforward. The extension to higher orders is also possible but not done here for ease of
presentation.

5.2 A Symbolic Model-Checking Algorithm 

We give a model checking algorithm for $\mu\mathrm{HL}^1_2$ that can be seen as a suitable extension of the usual
fixpoint iteration algorithm for the modal $\mu$-calculus. It merges the ideas used in model checking for the
higher-dimensional $\mu$-calculus [11] and for higher-order fixpoint logic [3].

Let $\Phi$ be a well-typed formula of $\mu\mathrm{HL}^1_2$. Then each of its subformulas has a type of the form
$\mathit{Pr}_2^{v_1} \to \cdots \to \mathit{Pr}_2^{v_m} \to \mathit{Pr}_2$ for some $m \ge 0$. Algorithm 1 takes as input two LTS $\mathcal{S}_i = (\mathit{Pr}_i, \mathit{Act}, \to_i)$ for
$i \in \{1,2\}$ and a $\mu\mathrm{HL}^1_2$ formula $\Phi$, and returns the set of all pairs of processes from these two LTS that
satisfy $\Phi$. Model checking is done by simply computing the semantics of each such subformula on the
two underlying LTS.

The difference to model checking the modal $\mu$-calculus is the handling of higher-order subformulas.
Note that the semantics of a function of type $\mathit{Pr}_2^{v_1} \to \cdots \to \mathit{Pr}_2^{v_m} \to \mathit{Pr}_2$ over a pair of LTS with $n_1$,
respectively $n_2$ many processes can be represented as a table with $(2^{n_1 \cdot n_2})^m$ many entries — one for each
possible combination of argument values to this function. Algorithm MC is designed to compute such a
table for the corresponding subformulas.

Algorithm 1 Model Checking $\mu\mathrm{HL}^1_2$

procedure MC($\Phi, \rho$)                     ▷ assume $\mathcal{S}_i = (\mathit{Pr}_i, \mathit{Act}, \to_i)$ to be fixed for $i = 1, 2$
  case $\Phi$ of
    $\top$: return $\mathit{Pr}_1 \times \mathit{Pr}_2$
    $x$: return $\rho(x)$                      ▷ some variable of type $\mathit{Pr}_2^{v_1} \to \cdots \to \mathit{Pr}_2^{v_m} \to \mathit{Pr}_2$
    $\neg\Psi$: return $(\mathit{Pr}_1 \times \mathit{Pr}_2) \setminus \mathrm{MC}(\Psi, \rho)$
    $\Psi_1 \wedge \Psi_2$: return $\mathrm{MC}(\Psi_1, \rho) \cap \mathrm{MC}(\Psi_2, \rho)$
    $\langle a\rangle_1\Psi$: return $\{(P_1, P_2) \mid \exists P' \in \mathit{Pr}_1$ s.t. $P_1 \xrightarrow{a}_1 P'$ and $(P', P_2) \in \mathrm{MC}(\Psi, \rho)\}$
    $\langle a\rangle_2\Psi$: return $\{(P_1, P_2) \mid \exists P' \in \mathit{Pr}_2$ s.t. $P_2 \xrightarrow{a}_2 P'$ and $(P_1, P') \in \mathrm{MC}(\Psi, \rho)\}$
    $\lambda x_1, \ldots, x_m : \mathit{Pr}_2^{v_1} \to \cdots \to \mathit{Pr}_2^{v_m} \to \mathit{Pr}_2.\ \Psi$:
      for all $(T_1, \ldots, T_m) \in (2^{\mathit{Pr}_1 \times \mathit{Pr}_2})^m$ do
        $F(T_1, \ldots, T_m) \leftarrow \mathrm{MC}(\Psi, \rho[x_1 \mapsto T_1, \ldots, x_m \mapsto T_m])$
      end for
      return $F$
    $\Psi\ \Psi_1 \ldots \Psi_n$:
      return $\mathrm{MC}(\Psi, \rho)(\mathrm{MC}(\Psi_1, \rho), \ldots, \mathrm{MC}(\Psi_n, \rho))$
    $\mu x : \mathit{Pr}_2^{v_1} \to \cdots \to \mathit{Pr}_2^{v_m} \to \mathit{Pr}_2.\ \Psi$:
      for all $(T_1, \ldots, T_m) \in (2^{\mathit{Pr}_1 \times \mathit{Pr}_2})^m$ do
        $F(T_1, \ldots, T_m) \leftarrow \emptyset$
      end for
      repeat
        $F' \leftarrow F$
        for all $(T_1, \ldots, T_m) \in (2^{\mathit{Pr}_1 \times \mathit{Pr}_2})^m$ do
          $F(T_1, \ldots, T_m) \leftarrow \mathrm{MC}(\Psi, \rho[x \mapsto F'])(T_1, \ldots, T_m)$
        end for
      until $F = F'$
      return $F$
  end case
end procedure

Theorem 1. Let $\Phi$ be a closed $\mu\mathrm{HL}^1_2$ formula of size $k$, and $\mathcal{S}_1, \mathcal{S}_2$ be two finite LTS, each of size $n$ at
most. The call of $\mathrm{MC}(\Phi, [])$ correctly computes $\llbracket \emptyset \vdash \Phi : \mathit{Pr}_2 \rrbracket$ with respect to $\mathcal{S}_1, \mathcal{S}_2$ in time $O(n^2 \cdot 2^{n^2 \cdot k^2})$.

Proof. (Sketch) Correctness is established through a straightforward induction on the structure of $\Phi$.
Note that the theorem is too weak to be used as an inductive invariant. Instead, one can easily prove the
following stronger assertion: for any provable statement $\Gamma \vdash \Psi : \tau$ and any interpretation $\eta$, $\mathrm{MC}(\Psi, \eta)$
computes $\llbracket \Gamma \vdash \Psi : \tau \rrbracket_\eta$. For most cases this follows immediately from the definition of the semantics
and the induction hypothesis. For fixpoint formulas it also uses the well-known characterisation of least
fixpoints by their chain of approximants. Note that the underlying power lattice is finite, even for higher-order
types. Thus, fixpoint iteration from below — as done in algorithm MC — converges to the least
fixpoint of the corresponding function in a finite number of steps.

The upper bound on the worst-case running time is established as follows. Note that $k$ is an upper
bound on the arity of each subformula's first-order type, i.e. in $\mathit{Pr}_2^{v_1} \to \cdots \to \mathit{Pr}_2^{v_m} \to \mathit{Pr}_2$ we have $m \le k$.
Clearly, the running time for each case-clause is dominated by the one for fixpoint formulas which
— disregarding recursive calls — can be done in time $O(n^2 \cdot 2^{n^2 \cdot k})$. Note that it needs to fill a table
with $2^{n^2 \cdot m}$ many entries using fixpoint iteration. Each table entry can change at most $n^2$ many times
due to monotonicity. Furthermore, note that it is not the case that the semantics of each subformula
is only computed once. Because of nested fixpoint formulas, we obtain an additional exponent which
is bounded by the number of fixpoint formulas, i.e. also bounded by $k$, resulting in an upper bound of
$O(n^2 \cdot 2^{n^2 \cdot k^2})$. □

This establishes exponential-time upper bounds for all the process equivalence relations which can
be defined in $\mu\mathrm{HL}^1_2$.
Corollary 2. Trace, completed trace, failure, failure trace, readiness and ready trace equivalence can
be checked in time $2^{O(n^2)}$.

It is easily checked that for $\mu\mathrm{HL}^0_2$ formulas, algorithm MC runs in time $O((k n^2)^k)$. By instantiation
we obtain polynomial-time algorithms for further process equivalences.

Corollary 3. Completed, ready, 2-nested, bi- and simulation equivalence can be checked in polynomial
time.

We point out that algorithm MC can be made to work symbolically on BDDs just like the algorithm
for the $\mu$-calculus can. A function is then represented as a table of BDDs. Furthermore, it can
straightforwardly be extended to higher orders, which increases the complexity by one exponential per
order. As a result, we obtain the following.

Proposition 4. Possible-futures equivalence can be checked in doubly exponential time.

5.3 Need-Driven Function Evaluation

Algorithm MC computes values for functions in a very naive and brute-force way: it tabulates all possible
arguments to the function and computes all their values. This results in far more value computations
than are needed in order to compute $\llbracket \emptyset \vdash \Phi : \mathit{Pr}_2 \rrbracket$ for any closed formula $\Phi$. Consider for example
$(\lambda X : \mathit{Pr}_2.\ [a]_2 X)\ \bot$. Its semantics is the set of all pairs $(P,Q)$ such that $Q$ has no $a$-successors. However,
algorithm MC would compute, for every set $T$ of pairs, the set of all pairs $(P,Q)$ such that all $a$-successors $Q'$
of $Q$ satisfy $(P,Q') \in T$.

Need-driven function evaluation avoids these unnecessary computations. For formulas without fixpoint
quantifiers it could easily be realised by evaluating arguments first, and then passing these values
to the computation of the function, comparable to lazy evaluation in functional programming. Need-driven
function evaluation in the presence of fixpoint quantifiers is more complicated, though [4]. For
recursively defined functions it is not sufficient to simply compute their value on a given argument using
fixpoint iteration, for instance, because the computation of the value on some argument may need the value on
some other argument. Need-driven function evaluation intertwines the computation of these values with
the exploration of the function's domain [2]. The following example shows the optimising potential of
this technique.

Example 1. Consider the two LTS presented in Fig. 4. Let $S_1 = \{0, 1\}$ and $S_2 = \{2, 3, 4\}$ be their state
spaces. We will show how need-driven function evaluation works on algorithm MC, these two LTS and
the formula that tests for trace equivalence over $\mathit{Act} = \{a, b\}$, namely

$\Phi_t = \big(\mu F(X,Y).\ (X \wedge Y) \vee (F\,\langle a\rangle_1 X\,[a]_2 Y) \vee (F\,\langle b\rangle_1 X\,[b]_2 Y)\big)\ \top\ \bot.$

Note that it should be true on a pair $(P,Q)$ of processes iff $P$ has a trace that $Q$ does not.

$\Phi_t$ defines a function $\mathcal{F}$ via least-fixpoint recursion. It takes two arguments $X$ and $Y$ and returns the
union of their intersection with the value of $\mathcal{F}$ applied to two other sets of arguments, defined by $\langle a\rangle_1 X$
and $[a]_2 Y$ in one case and equally with $b$ in the other. Moreover, we are interested in the value of $\mathcal{F}$ on
the argument pair $(S_1 \times S_2, \emptyset)$.

Need-driven function evaluation builds the table for $\mathcal{F}$ via fixpoint iteration, i.e. by building its
approximants $\mathcal{F}^0, \mathcal{F}^1, \ldots$ with $\mathcal{F}^0(X,Y) = \emptyset$ for any $X, Y \subseteq S_1 \times S_2$, starting with the argument on
which we need the function's value. Since $\mathcal{F}$ is recursively defined, the value on this argument may
need the value on other arguments. Fig. 4 shows the part of the dependency graph that is reachable from
this initial argument, where an arrow $(X,Y) \dashrightarrow (X',Y')$ states that the computation of the value on $(X,Y)$
triggers the first recursive call on $(X',Y')$. Similarly, an arrow of the other kind shows the dependency via the second
recursive call.

Figure 4: Example of need-driven function evaluation for trace equivalence checking. [The figure shows the two LTS,
the dependency graph whose nodes are built from the sets $S_1 \times S_2$, $\{0\} \times S_2$, $S_1 \times \{2\}$ and $S_1 \times \{3,4\}$,
and the table of the approximants $\mathcal{F}^1, \ldots, \mathcal{F}^4$ on the four reachable arguments, with entries $\{(1,2)\}$,
$\{(0,3),(0,4)\}$ and $\{(1,2),(0,3),(0,4)\}$; from $\mathcal{F}^3$ on the table no longer changes.]

Finally, Fig. 4 shows the table of values computed by fixpoint iteration restricted to those arguments
that occur in the dependency graph, i.e. the part of the function's domain which is necessary to iterate
on until stability in order to determine the fixpoint's value on the initial argument. The optimising
potential of need-driven function evaluation is justified by the table's width: note that the naive version
of algorithm MC would fill that table for all possible arguments, of which there are $(2^{|S_1 \times S_2|})^2 = 4096$, while
it suffices to reach stability on these 4 arguments alone.

5.4 Partial Evaluation 

The example above shows another potential for optimisation. Remember that the formulas defining process
equivalences do not depend on the actual LTS on which they are being evaluated. Thus, we can
devise a simpler algorithm for trace equivalence, for instance, by analysing the behaviour of MC on an
arbitrary pair of LTS and the fixed formula $\Phi_t$. We note that the filling of the table values follows a
simple scheme: the value in row $i$ at position $(X,Y)$ is the union of three values, namely the one in row 1
of this position and the values in row $i-1$ of the two successors of $(X,Y)$ in the dependency graph. This
leads to the simple Algorithm 2 for trace equivalence checking.
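The procedure derived here (Algorithm 2, TrEq, listed on this page) together with the need-driven exploration of Example 1, as an added Python example that is not the paper's code. It goes slightly beyond Algorithm 2: the start arguments are taken as a parameter, so the same code evaluates every TemplateTrace instantiation with $\mathit{Mod} = \{\langle a\rangle_1 X\}$, namely trace equivalence ($\mathit{Pred} = \{\top\}$) and failures equivalence ($\mathit{Pred} = \{\mathrm{fail}(A)\}$); the LTS and the process names p, q, r are constructed for illustration.

```python
"""Algorithm 2 (TrEq), generalised to the Pred parameter of TemplateTrace
with Mod = {<a>_1 X}.  Added example, not the paper's code; the LTS below
and the process names p, q, r are constructed."""
from itertools import chain, combinations

# Constructed LTS: state -> list of (action, successor).
# p = a.(b + c) and q = a.b + a.c are trace equivalent but not failures
# equivalent; r = a.b is not trace equivalent to p (p has the trace ac).
LTS = {
    "p": [("a", "p1")], "p1": [("b", "p2"), ("c", "p2")], "p2": [],
    "q": [("a", "q1"), ("a", "q2")], "q1": [("b", "q3")],
    "q2": [("c", "q3")], "q3": [],
    "r": [("a", "r1")], "r1": [("b", "r2")], "r2": [],
}
ACT = ("a", "b", "c")


def initials(lts, P):
    """I(P): the set of initial actions of P."""
    return {a for a, _ in lts[P]}


def diamond1(lts1, lts2, a, X):
    """<a>_1 X: pairs (P, Q) with P -a-> P' for some (P', Q) in X."""
    return frozenset((P, Q) for P in lts1 for Q in lts2
                     if any(b == a and (P2, Q) in X for b, P2 in lts1[P]))


def box2(lts1, lts2, a, Y):
    """[a]_2 Y: pairs (P, Q) such that (P, Q') is in Y for every Q -a-> Q'."""
    return frozenset((P, Q) for P in lts1 for Q in lts2
                     if all(b != a or (P, Q2) in Y for b, Q2 in lts2[Q]))


def fail_args(lts1, lts2, A):
    """Start arguments (fail_1(A), not fail_2(A)) for one element fail(A)
    of Pred: fail(A) = /\\_{a in A}[a]_1 false holds at (P, Q) iff I(P) and A
    are disjoint.  For A = {} this is (true, false), the arguments of Phi_t."""
    A = set(A)
    X0 = frozenset((P, Q) for P in lts1 for Q in lts2
                   if not (initials(lts1, P) & A))
    Y0 = frozenset((P, Q) for P in lts1 for Q in lts2
                   if initials(lts2, Q) & A)
    return X0, Y0


def template_trace(lts1, lts2, act, start_args):
    """Need-driven exploration (Example 1) of the arguments reachable from
    the start arguments via d_a(X, Y) = (<a>_1 X, [a]_2 Y), then fixpoint
    iteration of F(X, Y) = (X & Y) | U_a F(d_a(X, Y)) on that domain only.
    Returns the union of F over the start arguments and the number of
    arguments that had to be tabulated."""
    work, dom, succ = list(start_args), set(), {}
    while work:                      # build the dependency graph
        arg = work.pop()
        if arg in dom:
            continue
        dom.add(arg)
        X, Y = arg
        for a in act:
            nxt = (diamond1(lts1, lts2, a, X), box2(lts1, lts2, a, Y))
            succ[arg, a] = nxt       # record the arrow labelled a
            if nxt not in dom:
                work.append(nxt)
    F = {arg: frozenset() for arg in dom}   # approximant F^0
    changed = True
    while changed:                   # iterate until F does not change
        changed = False
        for arg in dom:
            X, Y = arg
            new = (X & Y).union(*(F[succ[arg, a]] for a in act))
            if new != F[arg]:
                F[arg], changed = new, True
    result = frozenset().union(*(F[arg] for arg in start_args))
    return result, len(dom)


def trace_equivalent(lts, act, P, Q):
    """P ~_T Q iff neither (P, Q) nor (Q, P) satisfies Phi_t (Pred = {T})."""
    phi, _ = template_trace(lts, lts, act, [fail_args(lts, lts, ())])
    return (P, Q) not in phi and (Q, P) not in phi


def failures_equivalent(lts, act, P, Q):
    """P ~_F Q: Pred = {fail(A) : A subset of Act}, one start argument per A."""
    subsets = chain.from_iterable(combinations(act, k)
                                  for k in range(len(act) + 1))
    starts = [fail_args(lts, lts, A) for A in subsets]
    phi, _ = template_trace(lts, lts, act, starts)
    return (P, Q) not in phi and (Q, P) not in phi
```

With the constructed LTS, the trace test only needs 6 tabulated arguments out of the $(2^{100})^2$ that algorithm MC would fill for a 10-state LTS on each side.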

Algorithm 2 Trace Equivalence Checking

procedure TrEq($\mathcal{S}_1, \mathcal{S}_2$)                   ▷ let $\mathcal{S}_i = (\mathit{Pr}_i, \mathit{Act}, \to_i)$
  $X_0 \leftarrow \mathit{Pr}_1 \times \mathit{Pr}_2$
  $Y_0 \leftarrow \emptyset$
  $W \leftarrow \{(X_0, Y_0)\}$                                 ▷ work list
  $\mathcal{D} \leftarrow \emptyset$                             ▷ domain of the dependency graph
  while $W \ne \emptyset$ do                                     ▷ build dependency graph
    remove some $(X,Y)$ from $W$
    for all $a \in \mathit{Act}$ do
      $(X',Y') \leftarrow (\langle a\rangle_1 X, [a]_2 Y)$
      $d_a(X,Y) \leftarrow (X',Y')$                             ▷ record arrows in dependency graph
      $\mathcal{D} \leftarrow \mathcal{D} \cup \{(X,Y)\}$
      if $(X',Y') \notin \mathcal{D}$ then
        $W \leftarrow W \cup \{(X',Y')\}$
      end if
    end for
  end while
  for all $(X,Y) \in \mathcal{D}$ do
    $I(X,Y) \leftarrow X \cap Y$
    $F(X,Y) \leftarrow \emptyset$
  end for
  repeat
    for all $(X,Y) \in \mathcal{D}$ do
      $F(X,Y) \leftarrow I(X,Y) \cup \bigcup_{a \in \mathit{Act}} F(d_a(X,Y))$
    end for
  until $F$ does not change anymore
  return $F(X_0, Y_0)$
end procedure

6 Conclusion and Further Work

We have presented a highly expressive modal fixpoint logic which can define many process equivalence
relations. We have presented a model checking algorithm which can be instantiated in order to yield
decision procedures for the relations on finite systems. This re-establishes already known decidability
results. Its main contribution, though, is the — to the best of our knowledge — first framework
that provides a generic and uniform algorithmic approach to process equivalence checking via defining
formulas. In particular, it allows technology from the well-developed field of model checking to be
transferred to process equivalence checking.

There is a lot of potential further work in this direction. The exponential-time bound for the
trace-like equivalences is not optimal since they are generally PSPACE-complete [7]. It remains to be
seen whether the formulas defining them have a particular structure that would allow a PSPACE model
checking algorithm, for instance. This would make a real improvement since model checking $\mu\mathrm{HL}^1_2$ is
EXPTIME-hard in general, which follows from such a bound for the first-order fragment of HFL [3].
Also, it remains to be seen whether or not possible-futures equivalence can be defined in $\mu\mathrm{HL}^1_2$.

We leave the exact formulation of a model checking procedure for the entire logic /iHL® for fu- 
ture work. Such an algorithm may be interesting for other fields as well, not just process equivalence 
checking. 

There are more equivalence relations which we have not considered here for lack of space, e.g. 
possible-worlds equivalence, tree equivalence, 2-bounded trace bisimulation, etc. We believe that creat- 
ing defining formulas for them in /iHL® is of no particular difficulty. 

We intend to also investigate the practicability of this approach. To this end, we aim to extend an 
existing prototypical implementation of a symbolic model checking tool for the higher-dimension jj.- 
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calculus to fxm,\, and possible /iHL^ in general. We believe that using need-driven function evaluation 
and partial evaluation techniques will have a major influence on the applicability of the algorithms ob- 
tained by instantiating the generic model checking procedure with a fixed formula. 
A Definitions of Process Equivalences 

Finite Trace Equivalence. Let $T(P) := \{ t \in Act^* \mid \exists Q.\, P \xrightarrow{t} Q \}$ be the set of all finite traces of $P$. Two processes $P$ and $Q$ are finite trace equivalent, $P \sim_T Q$, if $T(P) = T(Q)$. 

Completed Trace Equivalence. A sequence $t \in Act^*$ is a completed trace of a process $P$ if there is a $Q$ s.t. $P \xrightarrow{t} Q$ and $I(Q) = \emptyset$. Let $CT(P)$ be the set of all completed traces of $P$. Two processes $P$ and $Q$ are completed trace equivalent, $P \sim_{CT} Q$, if $T(P) = T(Q)$ and $CT(P) = CT(Q)$. 

Failures Equivalence. A pair $(t, A)$ is a failure pair of $P$ if there is a process $Q$ s.t. $P \xrightarrow{t} Q$ and $I(Q) \cap A = \emptyset$. Let $F(P)$ denote the set of all failure pairs of $P$. Two processes $P$ and $Q$ are failures equivalent, $P \sim_F Q$, if $F(P) = F(Q)$. 

Failure Trace Equivalence. A failure trace is a $u \in (Act \cup 2^{Act})^*$. We extend the reachability relation of processes to failure traces by including $P \xrightarrow{\varepsilon}_{ft} P$ for any $P$ and the refusal steps $P \xrightarrow{A}_{ft} P$ whenever $I(P) \cap A = \emptyset$, and then closing it off under compositions: if $P \xrightarrow{u}_{ft} R$ and $R \xrightarrow{v}_{ft} Q$ then $P \xrightarrow{uv}_{ft} Q$. Let $FT(P) := \{ u \mid \exists Q.\, P \xrightarrow{u}_{ft} Q \}$ be the set of all failure traces of $P$. Two processes $P$ and $Q$ are failure trace equivalent, $P \sim_{FT} Q$, if $FT(P) = FT(Q)$. 

Readiness Equivalence. A pair $(t, A)$ is a ready pair of $P$ if there is a process $Q$ s.t. $P \xrightarrow{t} Q$ and $A = I(Q)$. Let $R(P)$ denote the set of all ready pairs of $P$. Two processes $P$ and $Q$ are ready equivalent, $P \sim_R Q$, if $R(P) = R(Q)$. 

Ready Trace Equivalence. A ready trace is a $u \in (Act \cup 2^{Act})^*$. We extend the reachability relation of processes to ready traces by including $P \xrightarrow{\varepsilon}_{rt} P$ and $P \xrightarrow{A}_{rt} P$ whenever $I(P) = A$, and closing it off under compositions as in the case of failure trace equivalence. Let $RT(P) := \{ u \mid \exists Q.\, P \xrightarrow{u}_{rt} Q \}$ be the set of all ready traces of $P$. Two processes $P$ and $Q$ are ready trace equivalent, $P \sim_{RT} Q$, if $RT(P) = RT(Q)$. 

Possible-Futures Equivalence. A pair $(t, L)$ is a possible future of $P$ if there is a process $Q$ s.t. $P \xrightarrow{t} Q$ and $L = T(Q)$. Let $PF(P)$ be the set of all possible futures of $P$. Two processes $P$ and $Q$ are possible-futures equivalent, $P \sim_{PF} Q$, if $PF(P) = PF(Q)$. 

Simulation Equivalence. A binary relation $\mathcal{R}$ is a simulation on processes if it satisfies for any $a \in Act$: if $(P, Q) \in \mathcal{R}$ and $P \xrightarrow{a} P'$, then $\exists Q'.\, Q \xrightarrow{a} Q'$ and $(P', Q') \in \mathcal{R}$. $P$ and $Q$ are similar, $P \sim_S Q$, if there are simulations $\mathcal{R}$ and $\mathcal{R}'$ s.t. $(P, Q) \in \mathcal{R}$ and $(Q, P) \in \mathcal{R}'$. 

Completed Simulation Equivalence. A binary relation $\mathcal{R}$ is a completed simulation on processes if it satisfies for any $a \in Act$: if $(P, Q) \in \mathcal{R}$ and $P \xrightarrow{a} P'$, then $\exists Q'.\, Q \xrightarrow{a} Q'$ and $(P', Q') \in \mathcal{R}$. And if $(P, Q) \in \mathcal{R}$ then $I(P) = \emptyset$ iff $I(Q) = \emptyset$. Two processes $P$ and $Q$ are completed simulation equivalent, $P \sim_{CS} Q$, if there are completed simulations $\mathcal{R}$ and $\mathcal{R}'$ s.t. $(P, Q) \in \mathcal{R}$ and $(Q, P) \in \mathcal{R}'$. 

Ready Simulation Equivalence. A binary relation $\mathcal{R}$ is a ready simulation on processes if it satisfies for any $a \in Act$: if $(P, Q) \in \mathcal{R}$ and $P \xrightarrow{a} P'$, then $\exists Q'.\, Q \xrightarrow{a} Q'$ and $(P', Q') \in \mathcal{R}$. And if $(P, Q) \in \mathcal{R}$ then $I(P) = I(Q)$. Two processes $P$ and $Q$ are ready simulation equivalent, $P \sim_{RS} Q$, if there are ready simulations $\mathcal{R}$ and $\mathcal{R}'$ s.t. $(P, Q) \in \mathcal{R}$ and $(Q, P) \in \mathcal{R}'$. 

2-Nested Simulation Equivalence. A binary relation $\mathcal{R}$ is a 2-nested simulation on processes if it satisfies for any $a \in Act$: if $(P, Q) \in \mathcal{R}$ and $P \xrightarrow{a} P'$, then $\exists Q'.\, Q \xrightarrow{a} Q'$ and $(P', Q') \in \mathcal{R}$. And if $(P, Q) \in \mathcal{R}$ then $P \sim_S Q$. Two processes $P$ and $Q$ are 2-nested simulation equivalent, $P \sim_{2S} Q$, if there are 2-nested simulations $\mathcal{R}$ and $\mathcal{R}'$ s.t. $(P, Q) \in \mathcal{R}$ and $(Q, P) \in \mathcal{R}'$. 

Bisimulation. A binary relation $\mathcal{R}$ is a bisimulation on processes if it satisfies for any $a \in Act$: if $(P, Q) \in \mathcal{R}$ and $P \xrightarrow{a} P'$, then $\exists Q'.\, Q \xrightarrow{a} Q'$ and $(P', Q') \in \mathcal{R}$. And if $(P, Q) \in \mathcal{R}$ and $Q \xrightarrow{a} Q'$, then $\exists P'.\, P \xrightarrow{a} P'$ and $(P', Q') \in \mathcal{R}$. Two processes $P$ and $Q$ are bisimilar, $P \sim Q$, if there is a bisimulation $\mathcal{R}$ s.t. $(P, Q) \in \mathcal{R}$. 
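The definitions above, evaluated on small constructed LTSs as an added example (not code from the paper). The trace-based sets are enumerated directly, which is only possible for acyclic systems and is checked for; the simulation-style relations are computed as greatest fixpoints by pruning, with the side condition of each variant (I(P) = ∅ iff I(Q) = ∅, I(P) = I(Q), P ~_S Q) restricting the candidate pairs. Failure trace and ready trace equivalence are left out. The systems a.b + a.(b+c) and a.(b+c) illustrate that the spectrum is not a line: they are trace, completed trace and simulation equivalent, yet differ on failures and ready pairs, and so are neither ready simulation equivalent nor bisimilar.

```python
from itertools import combinations

# Constructed examples (not from the paper); state -> list of (action, successor). All acyclic.
A = {"s0": [("a", "s1"), ("a", "s3")], "s1": [("b", "s2")], "s2": [],
     "s3": [("b", "s4"), ("c", "s5")], "s4": [], "s5": []}                              # a.b + a.(b+c)
B = {"t0": [("a", "t1")], "t1": [("b", "t2"), ("c", "t3")], "t2": [], "t3": []}         # a.(b+c)
C = {"u0": [("a", "u1"), ("a", "u2")], "u1": [("b", "u3")], "u2": [("c", "u4")], "u3": [], "u4": []}  # a.b + a.c


def actions(*ltss):
    return frozenset(a for lts in ltss for succ in lts.values() for a, _ in succ)


def initials(lts, p):
    """I(P): the actions P can perform immediately."""
    return frozenset(a for a, _ in lts[p])


def reachable(lts, p):
    """All pairs (t, Q) with P ->t Q. A trace longer than the state count means a cycle,
    in which case the trace set is infinite and cannot be enumerated."""
    out, stack = set(), [((), p)]
    while stack:
        t, s = stack.pop()
        if len(t) > len(lts):
            raise ValueError("cyclic LTS: the trace set is infinite")
        out.add((t, s))
        stack.extend((t + (a,), s2) for a, s2 in lts[s])
    return out


def traces(lts, p):
    return frozenset(t for t, _ in reachable(lts, p))


def completed_traces(lts, p):
    return frozenset(t for t, s in reachable(lts, p) if not initials(lts, s))


def subsets(acts):
    acts = sorted(acts)
    return [frozenset(c) for r in range(len(acts) + 1) for c in combinations(acts, r)]


def failures(lts, p, acts):
    """F(P): (t, X) such that some Q with P ->t Q refuses every action in X."""
    return frozenset((t, X) for t, s in reachable(lts, p) for X in subsets(acts)
                     if not (initials(lts, s) & X))


def readies(lts, p):
    return frozenset((t, initials(lts, s)) for t, s in reachable(lts, p))


def possible_futures(lts, p):
    return frozenset((t, traces(lts, s)) for t, s in reachable(lts, p))


def largest_simulation(lts1, lts2, extra=lambda l1, p, l2, q: True):
    """Greatest simulation from lts1 to lts2 all of whose pairs satisfy `extra`; computed by
    starting from every admissible pair and pruning pairs whose moves cannot be matched."""
    R = {(p, q) for p in lts1 for q in lts2 if extra(lts1, p, lts2, q)}
    changed = True
    while changed:
        changed = False
        for p, q in list(R):
            if not all(any(b == a and (p2, q2) in R for b, q2 in lts2[q]) for a, p2 in lts1[p]):
                R.discard((p, q))
                changed = True
    return R


def mutually_simulated(lts1, p, lts2, q, extra=lambda l1, p, l2, q: True):
    return ((p, q) in largest_simulation(lts1, lts2, extra)
            and (q, p) in largest_simulation(lts2, lts1, extra))


def completed_cond(l1, p, l2, q):
    return (not initials(l1, p)) == (not initials(l2, q))


def ready_cond(l1, p, l2, q):
    return initials(l1, p) == initials(l2, q)


def nested_cond(l1, p, l2, q):
    return mutually_simulated(l1, p, l2, q)


def bisimilar(lts1, p, lts2, q):
    """Largest bisimulation over the disjoint union of both systems (state names assumed distinct)."""
    lts = {**lts1, **lts2}
    R = {(s, t) for s in lts for t in lts}
    changed = True
    while changed:
        changed = False
        for s, t in list(R):
            fwd = all(any(b == a and (s2, t2) in R for b, t2 in lts[t]) for a, s2 in lts[s])
            bwd = all(any(b == a and (s2, t2) in R for b, s2 in lts[s]) for a, t2 in lts[t])
            if not (fwd and bwd):
                R.discard((s, t))
                changed = True
    return (p, q) in R


def compare(lts1, p, lts2, q):
    """Which of the equivalences defined above relate p and q."""
    acts = actions(lts1, lts2)
    same_traces = traces(lts1, p) == traces(lts2, q)
    return {
        "trace": same_traces,
        "completed trace": same_traces and completed_traces(lts1, p) == completed_traces(lts2, q),
        "failures": failures(lts1, p, acts) == failures(lts2, q, acts),
        "readiness": readies(lts1, p) == readies(lts2, q),
        "possible futures": possible_futures(lts1, p) == possible_futures(lts2, q),
        "simulation": mutually_simulated(lts1, p, lts2, q),
        "completed simulation": mutually_simulated(lts1, p, lts2, q, completed_cond),
        "ready simulation": mutually_simulated(lts1, p, lts2, q, ready_cond),
        "2-nested simulation": mutually_simulated(lts1, p, lts2, q, nested_cond),
        "bisimulation": bisimilar(lts1, p, lts2, q),
    }
```

The pruning loops terminate because each round removes at least one pair from a finite relation; since simulations (with any of the side conditions) are closed under union, the surviving relation is the largest one, so membership of (p, q) in it decides the equivalence exactly.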



